Security proof for QKD systems with threshold detectors 
In this paper, we rigorously prove the intuition that in security proofs for BB84 one may regard 
an incoming signal to Bob as a qubit state. From this result, it follows that all security proofs for 
BB84 based on a virtual qubit entanglement distillation protocol, which was originally proposed by 
Lo and Chau [H.-K. Lo and H. F. Chau, Science 283, 2050 (1999)], and Shor and Preskill [P. W. 
Shor and J. Preskill, Phys. Rev. Lett. 85, 441 (2000)], are all valid even if Bob's actual apparatus 
cannot distill a qubit state explicitly. As a consequence, especially, the well-known result that a 
higher bit error rate of 20% can be tolerated for BB84 by using two-way classical communications 
is still valid even when Bob uses threshold detectors. Using the same technique, we also prove the 
security of the Bennett-Brassard-Mermin 1992 (BBM92) protocol where Alice and Bob both use 
threshold detectors. 



I. INTRODUCTION 

Quantum key distribution (QKD) is a way to share
secret keys between separated parties (Alice and Bob)
with negligibly small leakage of its information to an
unauthorized third party, Eve. The first QKD protocol,
BB84, was introduced by Bennett and Brassard in
1984 [1], and its unconditional security was first proven
by Mayers in a somewhat complicated manner. After the
first proof, researchers have tried to prove its security in
a simpler manner. Some proofs are based on the
entanglement distillation protocol (EDP) idea, and
others rely on the uncertainty principle or an
information-theoretic approach [8].

In EDP-based security proofs, we usually assume
implicitly that Bob has a detector which can discriminate
between vacuum, single-photon, and multi-photon states
in order to distill a qubit state, while this is not the case
for the security proof based on the uncertainty principle,
i.e., the conventional on-off detectors (threshold
detectors) can be used in this case. On the other hand, the
EDP-based security proof can apply to many protocols,
including BB84 with two-way classical communications,
with decoy states, for B92 [11], and so on [10];
however, the security proof based on the uncertainty
principle cannot directly apply to these protocols. Thus, it is
important to consider, from experimental or theoretical
viewpoints, how to accommodate the use of threshold
detectors in EDP-based security proofs, or to consider how
to apply the uncertainty principle idea to the other
protocols.

In this paper, we first prove unconditional security of
BB84 with threshold detectors based on the argument of
virtual EDP, which is valid regardless of one-way or
two-way classical communications. In order to show its
security, instead of assuming photon-number discriminating
detectors, we introduce an explicit squash operator in the
virtual protocol, which transforms Bob's incoming
multi-photon state to a qubit state. Then we suppose that they
run a virtual EDP on the obtained qubit pairs in order to
extract secret keys. If one-way classical communications
are used in this setup, the secret key rate R from the
single photon part is $R = 1 - H_2(e_{\mathrm{bit}}) - H_2(e_{\mathrm{ph}})$, where
$e_{\mathrm{ph}}$ and $e_{\mathrm{bit}}$ are the phase and the bit error rates in the
virtual protocol. As a consequence of introducing an
explicit squash operator, all of the formulas for key
generation rate given in the preceding literature of EDP-based
security proofs are valid with threshold detectors, even
when multi-photon emission is taken into account or
with decoy states. Our formulation also applies to
the case of two-way classical communications [5], hence
the bit error rate threshold of 20% or higher holds with
threshold detectors as well.

By using the same technique, we also prove the security
of the Bennett-Brassard-Mermin 1992 (BBM92) protocol
[12], where Alice and Bob both use threshold detectors
(see Fig. 3). In the BBM92 protocol, a third party
supplies entangled states to Alice and Bob, and they measure
them with the same set of bases as in BB84. If both
receivers have photon-number discriminating detectors and
can reject incoming multi-photon states, this protocol is
theoretically equivalent to BB84. When threshold
detectors are used, however, the security of this protocol is not
straightforward, and we will give the security proof for
this scheme in this paper.

The assumptions that we make for the theoretical
description of BB84 are as follows. First, it is assumed that
Alice's signals are block diagonalized with respect to photon
number, and thus one can treat events having different
photon numbers as distinct classical events. Moreover,
we assume that Alice's mixed states in the z basis and
the one in the x basis are the same, i.e., there is no basis
information flow from Alice's source.

We also suppose that when Alice emits a multi-photon
state, all information regarding that bit is freely leaked
to Eve due to the photon-number splitting attack [13].
It is proven, however, that we can still generate a secret
key as long as Alice's signals contain a sufficiently high
ratio of single-photon states [6]. This ratio can be
well monitored by the decoy state method, resulting in
longer distances of communications. Thus, only the
single-photon emission part is important, to which we restrict
our attention in this paper.

Another assumption we make is that all imperfections
of Alice's and Bob's devices, i.e., non-unit quantum
efficiency of Bob's detectors, dark counts, misalignment,
etc., are under Eve's control. This is the so-called
untrusted device scenario, and with this hypothesis we are
in a situation where Alice's and Bob's devices are all
perfect. In addition, we suppose that Bob's phase modulator
acts on multi-photon states as linear operations on
tensor product states. In other words, they transform each
photon contained in a signal independently, whether they
are in a superposition or not (for more details, see Sec.
II A).

Finally, when Bob's two detectors click simultaneously
(coincidence count), he assigns a random bit to the
corresponding event.

These assumptions are also made in our security proof
of BBM92 except that Alice, as well as Bob, plays the role
of a receiver. That is, imperfections of apparatuses are
attributed to Eve's attack, and Alice's and Bob's phase
modulators transform their incoming multi-photon states
as tensor products. If a coincident-detection event
occurs on either Alice's or Bob's side, he or she manually
replaces it by a random bit. We emphasize in the case of
BBM92 that we do not put any assumption on incoming
signals.

This paper is organized as follows. We describe and
formulate our model for actual QKD systems based on
BB84 in Sec. II and convert it into a virtual EDP in Sec.
III. Sec. IV is devoted to the security proof for BBM92.
Then finally we conclude in Sec. V.



II. DESCRIPTION OF OUR MODEL 

In this section we illustrate our setup (Fig. 1). As in
usual implementations of the BB84 protocol, Alice emits
signal pulses whose phases are chosen randomly out
of $\{0, \pi, \pi/2, 3\pi/2\}$. Among them we regard a set of
phase choices $\{0, \pi\}$ (respectively, $\{\pi/2, 3\pi/2\}$) as the
encodings of bit value $b \in \{0, 1\}$ in the z basis
(respectively, in the x basis). After traveling through Eve's regime, the
signal pulse is again phase-modulated according to Bob's
random basis choice, and then enters the detection unit
consisting of a 50:50 beam splitter followed by two
threshold detectors (Det $Z_{\mathrm{th}}$), which read out the bit value b.
Even when coincident detections occur on both
detectors, Bob does not discard the event and instead assigns
a random value for the output $i_B$.

As mentioned in the Introduction, the goal of this
paper is to rigorously prove the security of QKD even
when the receiver (or the receivers) uses threshold
detectors which cannot distinguish photon numbers. Hence
throughout the paper, we will always take into account
the possibility that states which a receiver obtains
contain more than one photon. To this end, we will below
formulate general N-photon states and describe how they
are transformed by Bob's phase modulations.

FIG. 1: (Color online) Schematic of the actual BB84 protocol.
Det $Z_{\mathrm{th}}$ denotes Bob's threshold detectors. When two
detectors click simultaneously (coincidence count), Bob assigns a
random bit (Rand) to the corresponding event.



A. Symmetry under particle permutations and the 
formulation of Bob's quantum operations 

Consisting of identical particles with bosonic statistics,
a state received by Bob is always symmetric under
particle permutations [3] [13]. Hence an N-particle state in
Bob's Hilbert space $\mathcal{H}_B$ can be expanded with basis

$$|S^z_{N-b,b}\rangle_B := \frac{1}{\sqrt{N!\,(N-b)!\,b!}} \sum_{(\mathrm{permutations})} |0_z^{N-b} 1_z^{b}\rangle,$$

where $|0_z^{N-b} 1_z^{b}\rangle = |0_z \cdots 0_z 1_z \cdots 1_z\rangle = |0_z\rangle \otimes \cdots \otimes |0_z\rangle \otimes |1_z\rangle \otimes \cdots \otimes |1_z\rangle$,
with $0_z$ and $1_z$ repeating $N - b$
and $b$ times respectively. $|S^y_{N-b,b}\rangle_B$ are defined in the
y basis similarly (we define the y basis and the x basis as
$|j_y\rangle = (|0_z\rangle + (-1)^j i |1_z\rangle)/\sqrt{2}$ $(j = 0, 1)$ and
$|j_x\rangle = (|0_z\rangle + (-1)^j |1_z\rangle)/\sqrt{2}$, respectively). Thus for example,
$|S^z_{0,2}\rangle = |1_z 1_z\rangle$, whereas
$|S^z_{1,1}\rangle = \frac{1}{\sqrt{2}}\left(|0_z 1_z\rangle + |1_z 0_z\rangle\right)$
and $|S^y_{1,2}\rangle = \frac{1}{\sqrt{3}}\left(|0_y 1_y 1_y\rangle + |1_y 0_y 1_y\rangle + |1_y 1_y 0_y\rangle\right)$.

Using this basis, a quantum non-demolition (QND)
measurement of N photons, to be mentioned below,
can be represented by Kraus operators
$E_N = \sum_{b=0}^{N} P(|S^z_{N-b,b}\rangle_B)$, where $P(|\psi\rangle) := |\psi\rangle\langle\psi|$.

As is usually the case for a linear operator on
tensor product states, or as one typically encounters
when adding angular momenta [14], Bob's phase
modulator acts on these symmetric states independently
in a qubit-by-qubit manner. For example, the
bit flip $X$ operates on $|S^z_{3,0}\rangle$ as
$X|0_z\rangle \otimes X|0_z\rangle \otimes X|0_z\rangle =: X^{\otimes 3}|S^z_{3,0}\rangle =: D(X)|S^z_{3,0}\rangle$, and similarly
the Hadamard gate transforms $|S^z_{1,1}\rangle$ as
$D(H)|S^z_{1,1}\rangle = \frac{1}{\sqrt{2}}\left(H|0_z\rangle \otimes H|1_z\rangle + H|1_z\rangle \otimes H|0_z\rangle\right)$, where



in the z basis. If one regards qubit operations as rotations
of spin-1/2, these symmetric N-photon states correspond
to a spin-N/2 representation.

In fact these formulations are equivalent to those using
creation and annihilation operators. For example, let $a_b$
be the annihilation operator corresponding to $|b_z\rangle$, then

$|S^z_{N-b,b}\rangle$

corresponds to



N-b.b/ 



y/(N-b)lb\ 

and $D(iX)$ is reproduced by



D(iX) = exp 



Photon detection in general corresponds to a
projective measurement with respect to photon-number
states in the z basis $\{|S^z_{N,0}\rangle, |S^z_{N-1,1}\rangle, \dots, |S^z_{0,N}\rangle\}$. Since
Bob's threshold detectors cannot discriminate photon
numbers in our case, it is assumed that they can
only distinguish between vacuum $|S^z_{0,0}\rangle$, single detection
events $|S^z_{N,0}\rangle$, $|S^z_{0,N}\rangle$, and coincident detection events
$\{|S^z_{N-1,1}\rangle, \dots, |S^z_{1,N-1}\rangle\}$.
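
The model of this subsection as an added example (not code from the paper): N-photon symmetric states are stored as amplitude tables over photon strings, D(U) acts photon by photon, and two threshold detectors read out in the z basis with coincidences kept and given a fair random bit. The function names, the constructed mismatched-basis pulse and the `Z_TO_X` helper matrix (built from the x-basis definition above) are assumptions of this example.

```python
import itertools
import math

R2 = 1 / math.sqrt(2)
X = [[0, 1], [1, 0]]            # bit flip on one photon
Z_TO_X = [[R2, R2], [R2, -R2]]  # assumed helper: maps |j_z> to |j_x>


def sym_state(n, b):
    """|S^z_{N-b,b}>: equal superposition of all N-photon strings with b ones."""
    amp = 1 / math.sqrt(math.comb(n, b))
    return {bits: amp
            for bits in itertools.product((0, 1), repeat=n) if sum(bits) == b}


def apply_each(u, state):
    """D(U) = U x ... x U: act with the 2x2 matrix u on every photon."""
    n = len(next(iter(state)))
    for k in range(n):
        new = {}
        for bits, a in state.items():
            for out in (0, 1):
                c = u[out][bits[k]] * a
                if c:
                    key = bits[:k] + (out,) + bits[k + 1:]
                    new[key] = new.get(key, 0) + c
        state = new
    return state


def click_probs(state):
    """z-basis readout by two threshold detectors: which detector(s) fire."""
    n = len(next(iter(state)))
    p = {"det0": 0.0, "det1": 0.0, "both": 0.0}
    for bits, a in state.items():
        ones = sum(bits)
        kind = "det0" if ones == 0 else "det1" if ones == n else "both"
        p[kind] += abs(a) ** 2
    return p


def sifted_bit_probs(state):
    """(P(i_B=0), P(i_B=1)): coincidences are kept and get a fair random bit."""
    p = click_probs(state)
    return p["det0"] + p["both"] / 2, p["det1"] + p["both"] / 2


def mismatched_pulse(n):
    """Constructed input: n photons, each in |0_x>, read out in the z basis."""
    return apply_each(Z_TO_X, sym_state(n, 0))


if __name__ == "__main__":
    # The D(X) example from the text: X on each of three |0_z> photons.
    print(apply_each(X, sym_state(3, 0)) == sym_state(3, 3))
    for n in (1, 2, 3, 6):
        s = mismatched_pulse(n)
        print(n, round(click_probs(s)["both"], 4), sifted_bit_probs(s))
```

For the constructed mismatched-basis pulse the coincidence probability is $1 - 2^{1-N}$, while the sifted bit stays uniformly random and the two outcome probabilities still sum to one, so no detection event is silently dropped.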



III. VIRTUAL PROTOCOL 

In this section, in order to prove the security of our
QKD, we convert the actual BB84 protocol to an
equivalent virtual protocol (Fig. 2). We do this conversion in
two steps. First, immediately after Bob's phase
modulator, we introduce an explicit squash operator F, which
projects an N-particle state received from Eve into a
qubit state (see EDP1 in Fig. 2). Then by using the
invariance of F under the Hadamard transformation H, we
replace Bob's phase modulator with a Hadamard
operation that follows F (EDP2 in Fig. 2). In this EDP2, Alice
and Bob obtain a pair of qubit states with Hadamard
operators, as if Bob's incoming states were always a
single-photon state. Hence we can prove security of our QKD
system by following exactly the same argument as in
Shor-Preskill or in GLLP. That is, Alice and Bob
can perform a virtual EDP to extract secret keys.

First, on Alice's side we assume that, instead of
randomly choosing the phase of signal states out of
$\{0, \pi/2, \pi, 3\pi/4\}$, Alice takes the following procedure: she
prepares one of the Bell states

$$|\Phi^+\rangle_{AE} := \frac{1}{\sqrt{2}}\left(|0_z\rangle_A |0_z\rangle_E + |1_z\rangle_A |1_z\rangle_E\right),$$

keeps the first half in $\mathcal{H}_A$ (reference state), and sends
the second half in $\mathcal{H}_E$ (signal state) to Eve. The
converted protocol is still equivalent to the original one,
since she can effectively emit a random bit $i_A \in \{0, 1\}$ by
measuring the reference state with z- and x-bases.

FIG. 2: (Color online) Schematics of our virtual EDPs for
BB84. In the first protocol (EDP1), Bob's states are projected
to a two-dimensional vector space $\mathcal{H}_D$ by a squash operator F.
By using the Hadamard invariance of F, we may interchange
the order of Bob's phase modulations and F, and obtain the
second protocol (EDP2). In EDP2, Alice and Bob both have
a qubit space $\mathcal{H}_A$ or $\mathcal{H}_D$ with Hadamard operations acting
on them. Thus by performing a virtual EDP in these spaces,
they can extract secret keys.

On receiving the signal pulse, Eve generates an
arbitrary state in Bob's Hilbert space $\mathcal{H}_B$, which in general
may be a superposition of any photon number N. As
a result, Alice and Bob end up sharing a state
$\rho_{AB} \in \mathcal{H}_A \otimes \mathcal{H}_B$. Without sacrificing security, we may simplify
the analysis further by assuming that $\rho_{AB}$ is actually
given from Eve to Alice and Bob.

Then on Bob's side, we assume that immediately
after receiving a pulse, he performs a QND measurement
on the photon number N, described by Kraus operators
$\{E_N\}_{N \in \mathbb{N}}$. Since this measurement does not disturb the
statistics of Bob's and Eve's data, we can introduce this
measurement without loss of generality. To be more
precise, Bob's sifted keys are the same regardless of
performing QND or not. Moreover, since the measurement
outcomes are kept secret from Eve, she cannot behave
differently depending on whether he performs the QND
or not. In other words, the QND measurement here is
introduced only as a convenient tool for proving the
security, and Bob need not perform this measurement in
the actual protocol. For the sake of simplicity, we fix
the value of N from now on, and sometimes suppress its
indices. Following this measurement, Bob projects his
state to a qubit state using a squash operator F which
converts a state in his (N + 1)-dimensional Hilbert space
$\mathcal{H}_B$ to that in a qubit space $\mathcal{H}_D$. This consists of Kraus
operators



F b .i 



-(JV-l)/2, 



(1) 





for all combinations of $0 \le b, b' \le N$ satisfying $b - b' = 1 \bmod 4$.
With these operators, an arbitrary state $\rho \in \mathcal{H}_B$
is converted to

$$F(\rho) = \sum_{b,b'} F_{b,b'}\,\rho\,F_{b,b'}^{\dagger} \tag{2}$$

in $\mathcal{H}_D$. As shown in Appendix A 1, these operators
indeed satisfy $\sum_{b,b'} F_{b,b'}^{\dagger} F_{b,b'} = I_B$, and thus form a
legitimate quantum operation.

This protocol (EDP1 in Fig. 2) can indeed be
considered as equivalent to the original one, since, as we shall
show in Appendix A 2, the POVM elements in the
virtual protocol and in the actual protocol corresponding to
Bob's sifted key bit $i_B = 0, 1$ take exactly the same forms.
Hence Eve can never distinguish the two protocols.

Moreover, as we shall show in Appendix A 3, our
squash operation F is in fact invariant under the
Hadamard transformation H. That is, for an arbitrary
input state $\rho \in \mathcal{H}_B$, we have

$$H F(\rho) H^{\dagger} = F\left(D(H)\,\rho\,D^{\dagger}(H)\right). \tag{3}$$

In other words, applying the Hadamard transformation
in Bob's (N + 1)-dimensional space $\mathcal{H}_B$ is equivalent to
applying it in the squashed qubit space $\mathcal{H}_D$. Hence we
may assume that Bob's Hadamard transformation and
the squash operator F are actually interchanged, as in
EDP2 in Fig. 2.

Then by supposing that, instead of immediately
conducting z-basis measurements, Alice and Bob perform
a virtual EDP on a qubit-pair state in their squashed
qubit spaces $\mathcal{H}_A \otimes \mathcal{H}_D$, the standard argument for
security proofs due to Shor and Preskill [4] can be directly
applied. This means that, even when threshold detectors
are used, all the previous security proofs for BB84 based
on a virtual EDP are valid, including
the ones involving two-way classical communications [5]
or decoy states.



IV. BBM92 PROTOCOL WITH BOTH PARTIES 
USING THRESHOLD DETECTORS 

By the same arguments as above, it is straightforward 
to prove the security of the BBM92 protocol where Alice 
and Bob both use threshold detectors. 

In the actual BBM92 protocol, entangled states are
supplied to Alice and Bob from a third party who is not
necessarily trusted. Upon receiving pulses, Alice and
Bob modulate and measure them in a randomly chosen
x or z basis, and then output sifted key bits by
selecting out events where their choices of basis match. If a
coincident-detection event occurs, the receiver assigns a
random value to the output bit $i_A$ or $i_B$ (Fig. 3).

FIG. 3: (Color online) Schematic of the actual BBM92
protocol. "Ent. Source" denotes a third party that supplies
entangled states to Alice and Bob. This third party may be
malicious in general.

FIG. 4: (Color online) Schematics of our virtual EDPs
corresponding to BBM92. In EDP1, Alice and Bob both
apply squash operations F and obtain qubit states in $\mathcal{H}_C$ and
$\mathcal{H}_D$. By using the Hadamard invariance of F, we may
interchange the order of phase modulations and F's, and obtain
EDP2, where both parties apply the Hadamard gate H on
the squashed qubit states $\mathcal{H}_C$ and $\mathcal{H}_D$.

In this case as well, by using the equivalence of POVM
elements for z-basis measurements (Appendix A 2), this
protocol can be equivalently converted into the first
virtual protocol (EDP1 in Fig. 4), where Alice and Bob
apply squash operations F after phase modulations. Then
due to the Hadamard-invariance of F in Eq. (3), we may
interchange the order of phase modulations and F's. As
a result, we obtain our second virtual protocol (EDP2 in
Fig. 4), where both parties apply H on the squashed qubit
states $\mathcal{H}_C$ and $\mathcal{H}_D$. Here $\mathcal{H}_C$ denotes Alice's qubit space.
In this EDP2, the standard Shor-Preskill-type argument
for security proof can be applied to prove the security.



V. CONCLUSION 

In this paper, we gave a rigorous security proof for
BB84, which is valid even when the actual Bob uses
threshold detectors. The key ingredient here was the
introduction of an explicit squash operator F in the
virtual protocol, which projects Bob's N-photon state into a
qubit space and still preserves its transformation
property under the Hadamard transformation. Our results
show that all the formulas for key generation rates
obtained in previous proofs based on a virtual qubit
entanglement distillation protocol are valid even with
threshold detectors. In particular, one can tolerate a higher
error rate up to 20% with two-way classical
communications.

In addition, by using the same technique, we also
proved the security of the BBM92 protocol, where Alice and
Bob both use threshold detectors.

Note added. Recently, similar results regarding
construction of squash operators were obtained
independently by Beaudry, Moroder and Lütkenhaus [15]. A
security proof of BBM92 with threshold detectors was
also given independently by Koashi et al. [16], although
the techniques used there were different from ours.

APPENDIX A: PROPERTIES OF OUR SQUASH
OPERATOR

In this appendix we discuss and prove some important
properties of our squash operator F defined in Eq. (1).
Without loss of generality, we here consider only Bob's
filter, and denote the (N + 1)-dimensional space of
incoming pulses by $\mathcal{H}_B$ and the target qubit space by $\mathcal{H}_D$.
Note that the arguments proved here can immediately
apply when Alice uses F in BBM92 as well.

1. Completeness as a quantum operator

First we show that F is a legitimate quantum
operation. That is, we demonstrate that

$$F_{\mathrm{sum}} = I_B, \tag{A1}$$

where $I_B$ is the unit operator in $\mathcal{H}_B$, and $F_{\mathrm{sum}}$ is defined
as

$$F_{\mathrm{sum}} := \sum_{b,b'} F_{b,b'}^{\dagger} F_{b,b'}.$$

To this end, we work in a basis $\{|S^y_{N,0}\rangle, \dots, |S^y_{0,N}\rangle\}$, and
prove $f_{b,b'} = \delta_{b,b'}$ for the matrix elements $f_{b,b'}$ of $F_{\mathrm{sum}}$ in this basis.

First, it is obvious from the definition of F in (1) that
$f_{b,b'} = 0$ for $b \neq b'$. On the other hand, if $b = b'$, a simple
calculation shows that for a fixed value of b,

$$f_{b,b} = 2^{-(N-1)} \sum_{b-c=\pm 1} \binom{N}{c},$$

where the sum is over all values of c satisfying $b - c = \pm 1 \bmod 4$.
For b even, this equals

$$f_{b,b} = 2^{-(N-1)} \sum_{c:\,\mathrm{odd}} \binom{N}{c} = 1,$$

as anticipated. The case of odd b can be shown similarly.
This completes the proof.

2. Equivalence of z measurements in the actual and
the virtual protocols

Next we show that Bob's z measurement in the virtual
protocol affects the entire quantum system in exactly the
same manner as in the actual one. That is to say, with
the POVM corresponding to a sifted key bit $i_B = 0, 1$
defined as

$$P^{\mathrm{ac}}_{i_B} = P\left(|S^z_{(1-i_B)N,\,i_B N}\rangle\right) + \frac{1}{2}\sum_{c=1}^{N-1} P\left(|S^z_{N-c,c}\rangle\right)$$

respectively for the virtual and the actual protocols, we
shall show that $P^{\mathrm{vi}}_{i_B} = P^{\mathrm{ac}}_{i_B}$. If one notes that $P^{\mathrm{vi}}_0 + P^{\mathrm{vi}}_1 = I_B$
holds from Eq. (A1), it is rather convenient to consider
a POVM element corresponding to the Z operator

$$P_Z^{\mathrm{ac}} = P\left(|S^z_{N,0}\rangle\right) - P\left(|S^z_{0,N}\rangle\right),$$

$$P_Z^{\mathrm{vi}} = \sum_{b,b'} F_{b,b'}^{\dagger}\, Z\, F_{b,b'},$$

and show that

$$P_Z^{\mathrm{vi}} = P_Z^{\mathrm{ac}}. \tag{A2}$$



Note that $P^{\mathrm{vi}}_{i_B} = P^{\mathrm{ac}}_{i_B}$ can be shown from (A2) and by
using the relations $P_Z^{\mathrm{vi}} = P^{\mathrm{vi}}_0 - P^{\mathrm{vi}}_1$ and $P^{\mathrm{vi}}_0 + P^{\mathrm{vi}}_1 = I_B$,
and similar relations for the actual protocol.
Now, from the definition of F in Eq. (1),

$$P_Z^{\mathrm{vi}} = 2^{-N+1} \sum_{b,b'} \sqrt{\binom{N}{b}\binom{N}{b'}} \left(|S^y_{N-b,b}\rangle\langle S^y_{N-b',b'}| + |S^y_{N-b',b'}\rangle\langle S^y_{N-b,b}|\right),$$

where the sum is over all $0 \le b, b' \le N$ satisfying $b - b' = 1 \bmod 4$.
This can be rewritten further as

$$P_Z^{\mathrm{vi}} = 2^{-N+1} \sum_{b,b'} \sqrt{\binom{N}{b}\binom{N}{b'}}\; |S^y_{N-b,b}\rangle\langle S^y_{N-b',b'}|, \tag{A3}$$

where the sum is over all b, b' with $b - b' = 1 \bmod 2$.
Next, expanding $|S^z_{N,0}\rangle$ and $|S^z_{0,N}\rangle$ with $|S^y_{N-b,b}\rangle$ gives

$$|S^z_{N,0}\rangle = 2^{-N/2} \sum_{b=0}^{N} \sqrt{\binom{N}{b}}\; |S^y_{N-b,b}\rangle, \qquad |S^z_{0,N}\rangle = (-i)^N\, 2^{-N/2} \sum_{b=0}^{N} (-1)^b \sqrt{\binom{N}{b}}\; |S^y_{N-b,b}\rangle,$$

and from these relations we obtain

$$P_Z^{\mathrm{ac}} = 2^{-N+1} \sum_{b,b'} \sqrt{\binom{N}{b}\binom{N}{b'}}\; |S^y_{N-b,b}\rangle\langle S^y_{N-b',b'}|, \tag{A4}$$

where the sum is again over all $0 \le b, b' \le N$ satisfying
$b - b' = 1 \bmod 2$. Eqs. (A3) and (A4) prove Eq. (A2).
This completes the proof.

3. Invariance under the Hadamard transformation

In this subsection we prove Eq. (3), i.e., the
Hadamard-invariance of F. Since $|S^y_{N-b,b}\rangle$ transforms
under the Hadamard transformation H as

$$D(H)|S^y_{N-b,b}\rangle = \omega^{2b-N} |S^y_{N-b,b}\rangle,$$

with $\omega := \exp(i\pi/4)$, we have

$$F_{b,b'} D(H) = \omega^{2b-N-1}\, H F_{b,b'}.$$

That is, each operator $F_{b,b'}$ yields a phase factor $\omega^{2b-N-1}$
when $D(H)$ is applied. However, such a factor does not change
the operations of F as a Kraus operator. For example,
when applied to an arbitrary mixed state $\rho \in \mathcal{H}_B$, it
yields

$$F_{b,b'} D(H)\,\rho\,D^{\dagger}(H) F_{b,b'}^{\dagger} = H F_{b,b'}\,\rho\,F_{b,b'}^{\dagger} H^{\dagger}.$$

By summing these over all combinations of b, b' satisfying
$b - b' = 1 \bmod 4$, we obtain Eq. (3).